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(54) Security module for a printing apparatus 

(57) A security module (1 00) is operatively disposed 
at the hardware/sottware interface (16,18) within a print- 
ing apparatus (1 4). The nnodule is disposed along a con- 
nection which acts, as a medium for command signals 



(32) to operate the printer hardware (18), and for status 
signals (36) to Indicate physical conditions within the 
hardware. The security module facilitates security pro- 
cedures which control aspects of printer operation, par-* 
ticularly the creation of MICR characters (112). 
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The present invention relates to a security module 
which can be incorporated within a printing apparatus, 
particularly to control the production of magnetic-ink- 
character-recognition (MICR) documents such as 
cheques. 

Printing apparatuses for rendering images on paper 
in response to digital data from a computer, such as 
electrophotographic "laser" printers and ink-jet printers, 
are familiar in many offices. Recently, the technology 
which is used in such printers has been found to be ap- 
plicable to the creation of documents having magnetic- 
ink, or MICR, characters therein. These MICR charac- 
ters are familiar as the characters which appear at the 
bottom of cheques. MICR characters are typically nu- 
merical characters which are rendered in an ink having 
magnetic material therein, so that when the characters 
are run across a magnetic read head, the changing 
magnetic flux on the readhead caused by unique indi- 
vidual MICR characters creates identifiable magnetic 
flux patterns in the read head. Each individual character 
(such as the numbers 0-9) has a unique magnetic flux 
pattern associated therewith, so that the characters can 
be rapidly read through the read head in an automated 
cheque-sorting process. In the United States, the font 
used for such MICR characters is known as "£138." al- 
though another font having the same function, known 
as "CMC7," is used in other countries. 

Because ^^ICR characters (defined as characters 
formed on a substrate with a magnetic material, with a 
font readable by a standard read head) are often used 
to create documents of value such as cheques, security 
measures must be provided to prevent unauthorized 
creation of fraudulent documents. In the context of dig- 
ital printing, such as electrophotographic or ink-jet print- 
ing, security measures for preventing unauthorized cre- 
ation of MICR documents can follow one or more pf 
three strategies: security procedures may be required 
for (a) access to the printing apparatus in .general; (b) 
access to the magnetic-or metallic-based- printing ma- 
terial, such as toner or liquid ink; or (c) access to the 
software by which MICR characters are created. The 
reason that alternatives (b) or (c) may be preferable to 
(a) is that, particularly for a large-scale work-group print- 
ing apparatus, the apparatus in general may be desired 
to be used by a large number of networked users for 
general purposes such as printing letters. In such a 
case, security procedures may be required only when 
MICR documents are created, with the apparatus being 
generally free for printing other documents. It is a pos- 
sible design option that a large-scale printing apparatus 
may provide a plurality of marking devices, such as xe- 
rographic development units or ink-jet ink supplies, only 
one of which includes the magnetic-based marking ma- 
terial for MICR characters. What is meant by "security 
procedures" is any provision for restricting access, such 
as the entering of a password by one br more persons. 



the insertion or sweeping of an authorization card, or 
even a physical locking of hardware, such as with a lock 
and key. 

In the prior art, US-A-4,264,808 discloses a system 

5 for separating the information on documents involved in 
accounting or banking transactions and for placing con- 
trol of the processing of the transaction on the separated 
infonmatton, instead of on the documents themselves. 
An "image lift unit" generates an electronic image of 

^0 each o1 a series of documents and also tags the docu- 
ments with Identification indicia to provide entry records 
which can be processed by a computer. 

US-A-4, 980,7 19 discloses a reproduction system 
for confidential documents which include image portions 

75 formed with magnetic or metallic toners. The reproduc- 
tion apparatus is capable of reproducing a visible image 
with non-metallic pigment corresponding to one portion 
of the desired image and using metallic or magnetic pig- 
ment in a second portion of the image. 

20 US-A-5,075,875 discloses a control system for a 
digital printer, which is coupled between the host com- 
puter and the raster image processor of the printer. Bi- 
directional communication exists among the host, the 
printer, and the microprocessor, on which the control 

2S system is operative. The system Includes an audit trail 
feature which enables the printer to maintain a record 
ot generating negotiable instruments such as cheques. 

. In providing a security system for a printing appa- 
ratus capable of producing MICR documents, a highly 

30 desirable feature. Is that the security system can be "ret- 
rofitted" in an existing printer design, or even in a pre- 
existing individual printing apparatus. In this way, a se- 
, curity system could be provided as a simple pptioh to a 
type of printing apparatus with which the customer Is al- 

35 ready familiar, or a security system coukd be designed 
for use with a printing apparatus manufactured by an- 
other vendor. 

It Is an object of the present invention to provide an 
Improved security system for a printing apparatus. 

40 According to one aspect of the present invention, 
there is provided a printing apparatus comprising an im- 
age output terminal for rendering an image on a surface 
according to imagewise digital data. The image output 
terminal includes a command receiving element for op- 

45 erating a mechanical element of the image output ter- 
minal In response to a command signal, and a stiatus 
element for producing a status signal in response to a 
condition within the marking engine. An electronic sub- 
system is adapted to output imagewise digital data and 

50 a command signal to the image output terminal, and to 
receive a status signal from the status element. A con- 
nection between the image output terminal and the elec- 
tronic subsystem acts as a medium for passage of com- 
mand signals and status signals therethrough. A secu- 

55 rity module, having a security algorithm associated 
therewith, is operatively interposed along the connec- 
tion between the image output terminal and the elec- 
tronic subsystem. The security module receives a com- 
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mand signal, processes the commahdliignal according 
to the security algorithm, and selectably outputs an al- 
tered command signal to the image output terminal. 

According to another aspect of the present Inven- 
tion, there is provided a security module for a printing s 
apparatus. A logic unit appliers a security algorithm to 
a command signal from an electronic subsystem which 
oihputs imagewise digital data and a command signal 
to an image output terminal for causing the image output 
terminal to render a desired image on a surface accord- 10 
ing to the digital data. The logic unit outputs an altered 
command signal to the Image output terminal In re- 
sponse to the security algorithm. 

A printing apparatus incorporating a security mod- 
ule in accordance with the invention will now be de- is 
scribed, by way of example, with reference to the ac- 
companying drawings, in which> 

Figure 1 is a systems diagram showing essential 
elements of a printing apparatus known in the prior 20 
art; 

Figure 2 is a systems diagram showing a printing 
apparatus in operation with a security module ac- 
cording to one aspect of the present invention; and 
Figures 3A and SB are perspective views of two 2S 
possible physical configurations of the security 
module according to the.present Invention. 

Figure 1 is a diagram showing the essential ele- 
ments of a printing apparatus according to the famlljar 30 
"personal computer" model known in the prior art. Ac- 
cording to this model, a host computer 10, such as a 
familiar personal computer, is connected by a bus 1 2 to 
a printer .generally indicated as 1 4. It is to be understood 
that the bus 12 could be in the form of a network, and 3S 
that a number of host computers 1 0 may selectably ad- 
dress the printer .14 through bus 12 by means such as 
the "Ethernet" protocol. 

As illustrated in Figure 1 , printer 14 is conceptually 
divided into two portions, an electronic subsystem 40 
(ESS) indicated as 16 and an image output terminal 
(lOT) indicated as 18. This division of a printing appa- 
' . ratus is in fact fairly common in the design of digital print- 
ers. 

Turning first to the image output terminal, lOT 1 8 is 45 
intended to encompass all of the electro-mechanical 
hardware which is directly relevant to creating marks on 
a sheet according to imagewise digital data. Such hard- 
ware is typically related to either a electrostatographic 
or ink-jet printing technique. As such, lOT 18 is further 50. 
divided in Figure 1 Into distinct portions, such as imager 
20 and transport 24. These general terms can be ap- 
plied to many types of printing techniques. For example, 
if printer 14 is a xerographic "laser" printer, imager 20 
would typically comprise a raster output scanner (ROS) 55 
laser, which outputs a scanning beam which is modu- 
lated according to digital data, while the transport 24 in- 
cludes a photoreceptor having a charged surface, which 



moves past the Imager ^BWthat the laser can selecta- 
bly discharge desired areas to form an electrostatic la- 
tent image which is subsequently developed with toner 
and transferred onto a print sheet (by means not 
shown). If printer 14 is.of the ink-jet type, imager 20 nhay 
be In the form of a ink-jet printhead, and transport 24 
may be in the form of a paper transport which causes 
the print sheet to move past the ink-jet printhead may 
selectably deposit liquid Ink in desired areas, on the 
sheet to lorm the image. What Is important is that imager 
20 accepts digital video data directly representative of 
the image desired to be printed, while transport 24 is a 
mechanical element which enables the imager 20 to cre- 
ate the desired image on a sheet which is output on the 
printer, such as through path 28. 

Electronic subsystem or ESS 16 represents the por- 
tion of the printer 1 4 which directly controls the hardware 
in lOT 18. As can be seen in Figure 1, there exists a 
video line 30 from ESS 16 to imager 20 of lOT 1 8. Video 
line 30, which may be in the form of a serial cable or 
parallel bus, applies digital data to the imager 20 so that 
the imager may modulate a laser beam in a raster output 
scanner or selectably activate individual ejectors in an 
ink-jet printhead. There is also at least one (and typically 
more) command line 32. along which ESS 16 outputs 
any number of command signals to particular mechan- 
ical elements in lOT 18. A "command signal" shoukJ be 
understood as a signal which is directly operable on a 
mechanical element, such as a motor or a relay, within 
this lOT 18. The mechanical element, therefore, can be 
seen as a "command receiving element," because the 
mechanical element performs a function (e.g., a motor 
starts rotating, or a fuser warms up) in response to a 
command signal from the ESS 1 6. 

As command signals go from ESS 1 6 to a command 
receiving element such as 24 in lOT 18, lOT 18 can out-, 
put status signals to ESS 16. Figure 1 shows an exam- 
ple detector 34 which outputs a status signal along sta- 
tus line 36 back into ESS 16. One common function of 
a detector such as 34 is to determine, such as by a me- 
chanical trip switch or a photodetector, whether a print 
sheet is properly positioned within the lOT 18 at the be- 
ginning of a print cycle. Of course, if no print sheet is 
properly- fed in the lOT 18 at the beginning of a print 
cycle, there will be no sheet on which to form the image; 
if sheets are improperly fed, the lOT 18 will jam and the 
desired image will not be successfully printed. These, 
are two examples of many possible conditions which 
can be detected by one or inore detectors in a manner 
which is familiar to those of skill in the art. For present 
purposes, what is important is that a detector 34 having 
a particular purpose related to a physical condition with- 
in lOT 18 (e.g.. a sheet is not available in a particular 
position, more than one sheet has been fed onto the 
transport) is capable of outputting a status signal 36 to 
the ESS 1 6, the status signal 36 having a predetermined 
meaning relevant to the operation of lOT 18. For exam- 
ple, detector 34 could output a digital 1 when a particular 
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mechanical sequence has been successfully perfonned 
In the lOT 18, or could output the digital 1 status signal 
if a malfunction is detected; the actual configuration and 
meanings of any particular status signal will depend on 
the specific design of the lOT 

In addition to controlling the mechanical elements 
of lOT 1 8 through command line 32 and receiving status 
signals through status line 36, a key familiar function of 
EiSS 1 6 is to receive from host 10a stream of information 
relevant to the desired image to be printed. Typically, a 
'page description language" technique is used. Under 
this familiar technique, host 10 outputs a set of charac- 
ters in ASCII or similar format, along with instructions to 
the ESS 16 to render these characters in a particular 
font. The desired font is in the form of bitmaps which are 
sent along video line 30 to imager 20 for creating each 
individual character as required. These bit maps are.typ- 
ically stored at ESS 16, although it is also possible that 
ESS 16 could accept the bitmaps for an unusual font 
from another computer as required. This is the general 
technique carried out by page description languages 
such as HP-PCL or PostScript 

The video line 30, command line 32, and status line 
36 shown in Figure 1 are collectively indicated as a "con- 
nection" 40, which acts as a medium for passage of 
command signals and status signals therethrough. In a 
physical manifestation of a printer such as 14, the vari- 
ous connection between the ESS 1 6 and the lOT 1 8 are 
formed on a single cable harness which provides the 
interconnect at the ESS/IOT interface. In one common 
hardvyare design, such a connection is in the form of a 
26-pin plug and socket arrangement which forms this 
connection, The twentyrslx pins are variously assigned 
different functions, according to a particular printer de- 
sign, and many of the pins may not be used, but some 
typical arrangements of these pins and the cable har- 
ness forming connectbn 40 include two lines for the vid- 
eo data (generally corresponding to video line 30), two 
lines for "line synchronization;" two lines for "start of 
scan synchronization;" and one line for "page synchro- 
nization." All of these parameters are relevant to proper 
operation of a raster output scanner in an electrophoto- 
graphic printer, and their functions will be apparent to 
one of skill in the art. Typically two further pins are pro- 
vided for the output of status signals and two pins are 
set aside for command signals. Whatever the specific 
meaning of "status" and "command" signals in any par- 
ticular printer design from a particular vendor, these def- 
initions of status and command signals as required to 
describe the present invention are defined iri the spec- 
ification and claims herein. 

As mentioned above, if a printer such as 14 is used 
for the creation of MICR characters (that is, characters 
formed with a magnetic or metallic-based material using 
particular MICB fonts), it wilt be desirable to provide a 
security system to restrict access either to the printer 1 4 
as a whole, or else to one or both of the magnetic mark- 
ing material, or the special MICR fonts. According to the 



present invention, there is proposed a security module, 
capable of requiring various security procedures, which 
function at the interface indicated as connection 40 in 
Figure 1 . That is, the security module of the present in- 
5 vention operates at the software/hardware interface 
within the printer 14. 

Figure 2 is a systems diagram showing the opera- 
tion of a security module 100 according to the present 
invention as it interacts with the ESS 16 and lOT 18 of 
10 printer 14, as well as with the host computer 10. The 
function of security module 100 is to accept the usual 
input of characters and other infomnation from computer 
10, and in general most of such information Is directly 
passed through ESS 1 6, such as through a bus or other 
IS connection 102 where the information is processed by 
the ESS 16 for printing as though the security module 
100 were not there. 

Only certain Information from host 10, specifically 
that informatbn relating to MICR characters (either be- 
20 cause the characters are intended to be printed with 
magnetic material, or are intended to use a MICR font), 
is processed by security module 100 according to a "se- 
curity algorithm." As used in the specification and claims 
herein, a security algorithm is a program or portion of a 
25 program In which a user is required to enter a security 
procedure in order to perform a particular function which 
. is requested of the printer 14. Such a "security proce- 
dure" may include, for example, the entry by one or more 
persons of unique passwords; the insertion or sweeping 
30 of a magnetically-encoded card; or the turning of a key- 
operated switch. Alternatively, an arrangement may be 
provided which combines various security procedures, 
such as providing an external box in which a key must 
be used to access a slot for the encoded card. Th.ese 
35 security procedures may be required by the security al- 
gorithm to pemnit a particular user to either access print- 
er 1 4 in general; access a particular source of magnetic 
printing material (such as a development unit or liquid 
ink supply) within the lOT 18; or to use the ESS 16 to 
40 create MICR fonts such as E13B or CMC7. 

Figure 2 shows how security module 100 of the 
present invention is arranged along the connection be- 
tween ESS 1 6 and lOT 1 8 In such a manner that security 
module 100 is operatively interposed along both com- 
45 mand line 32 and status line 36. In this manner, com- 
mand signals from ESS 16 intended for lOT 18 will be 
subject to the functions of the security algorithm within 
security module 100, and similarly certain status signals 
36 from lOT 18 intended for ESS 16 may be subject to 
50 alteration by security module 100. 

When any particular status signal or command sig- 
nal which may be relevant to a security function passes 
along the connection and also through security module 
100, security module 1 00 will process the signal accord- 
55 jng to the security algorithm and if necessary alter the 
signal before it reaches its destination within printer 14. 
By "altering" a signal, It is meant that security module 
1 00 nhay output a different signal in place of the received 
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signal, or may elect to simply not traPBmit the signal, or 
send a signal to someplace besides the place yNhere the 
original signal was intended to go; that is, the 'altered 
signal" may in fact be no signal. The application of the 
security algorithm, and the selectable output of an al- 
tered command or status signal in reponse to the secu- 
rity algorithm being applied to an original command or 
status signal, Is carried out by a "logic unit" (not shown) 
within security module 100. Such a logic unit may be 
embodied by. for example, a suitably-programmed mi- 
croprocessor operatively connected to command lines 
32 and status lines 36. 

To take concrete examples of this principle of the 
security module, consider a basic case where host 10 
instructs the printer 14 to print certain characters with 
the E13B MICR font, in . a document having characters 
of various other fonts as well. Information relating to the 
other fonts will be simply passed through along bus 102 
for use by the ESS, and is never touched by security 
module 100. Optionally, the ASCII characters intended 
to be printed In the MICR font can be passed along to 
the ESS 16 as well without alteration. The information 
from host 10 which is of interest to security module 100 
would be the instruction to print certain characters with 
theEISBfont. In order to print such characters, security 
authorization will be needed. It is the purpose of the se- 
curity algorithm within security module 1 00, upon noting 
this important font instruction, to check, through soft- 
ware means which would be familiar to one of skill in the 
art, to see whether the particular requester at host 1 0 is 
authorized. As mentioned above, this authorization can 
come from the entering of a suitable password by the 
user on host 10 (and also optionally, another password 
issued by a systems administrator at another host or at 
a panel on the security module 100 itself), or the inser- 
tion or sweeping of a magnetically readable card at the 
security module 100. This card entry is shown generally 
as 1 1 0 as a portion of security module 1 00. 

Whether or not the proper authorization is manifest 
in one of the security procedures will effect the behavior 
of signals passing through 100. In one simple case, it 
will inevitably be required that a command signal even- 
tually come from ESS 16 through line 32 into lOT 18 In 
order to start the printing process. If the security algo- 
rithm in the security module does not receive the nec- 
essary security procedure, security module 100 can 
function to prevent any use of the lOT 18 by altering the 
signal from ESS 16 that starts the transport, by output- 
ting no signal where the start signal would have been. 
' This would be the most obvious method of preventing 
printing of an unauthorized MICR document. However, 
depending on the particular design of the IOT.18, a dif- 
ferent alteration of the command signal can be made. 
For example, it the lOT 18 has two available sources of 
• marking material, one magnetic and one non-magnetic, 
such as two development units or two liquid ink supplies, 
the altered signals on command line 32 could alter the 
request to use the magnetic marking material and sub- 
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stitute therefore a reqUiirto use the non-magnetic 
marking material, such as by activating one develop- 
ment unit instead of the other. In this way, the lOT 14 
will output the desired image, except not with the mag- 
s netic nri^erial necessary for MICR characters. 

Security module 100 can also be used to respond 
to status signals on status line 36, where such status 
signals are relevant to security considerations. For ex- 
ample, It is a common design in work group printlQg ap- 
10 paratus that if there Is a misfeedor paper jam within the 
lOT 18, the lOT 18 will be controlled by the ESS 16 to 
simply print out the misfed image once again on a sub- 
. sequent sheet. However, if a series of cheques are be- 
ing produced, this fairiy comnrx)n recovery technique 
15 could result in the production of two cheques where only 
one vyas intended. Thus, a paper jam or misf eed detect- 
ed by a detector 34 in lOT 18 could present a security 
problem. So, when a detector such as 34 outputs a par- 
ticular misf eed or paper jam status signal on status line 
36, security module 100 outputs back onto line 36 an 
altered signal, such as a signal to override the program- 
ming in ESS 1 6 that would cause a reprint, and also may 
output either on status line 36 or through bus 102, an 
instruction to display some sort of error message at a* 
graphical user interface responsive to the ESS, such as 
shown here by 120. This error message, which may 
read something like "Paper misfeefd at printer, cheque 
number 101 not printed" may also be communicated 
through connection 1 2 to host 1 0 as needed. In this way, 
30 security mcxdule 100, which Is operatively disposed 
along command signal line 32 and status signal line 36, 
can be made sensitive to any behavior of the ESS or 
lOT which may have a security implication. 

The "secure" font for printing MICR characters, 
35 such as the E13B font or the CMC7 font, is preferably 
resident directly on security module 100, and Is not Im- 
mediately accessible to ESS 16 as would other fonts 
such as Roman. Such a "font card" is shown in Figure 
2 as 112. Under Jhis arrangement, whea host 10 
40 presents a request to printer 14 to print in a MIGR font; 
ESS 16 must request and access the font card 112 
through security module 100. Ordinarily, for other fonts, 
the bitmaps for the fonts are resident within ESS 1 6, and 
' typically placed In a hard or non-volatile form such as in 
45 a read-only memory. When the MICR font Is accessed 
through security module 100, assuming that the neces- 
- sary security algorithms have been satisfied, the bit- 
maps for the font are entered throuigh bus 102 into ESS 
16, but placed in ESS 16 in a non-permanent form such 
50 as in a volatile memory. The MICR fonts can then be 
used by ESS 16 as though they were resident fonts, but, 
significantly, these bit maps are erased or otherwise 
made Inaccessible when certain predetermined exter- 
nal events occur to ESS 1 6. For example, security mod- 
55 ule 100 or ESS 16 could be programmed to erase the 
bitmaps in response to a power shut off, the printing of 
a certain number of prints, or the end of a job. Further, 
it Is conceivable that either security module 100 or ESS 
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16 could include means by wFnch a running total of all 
cheque amounts printed by a particular user could be 
compiled over time and compared to an available ac- 
count kept elsewhere In the system. The important tunc- 
tion is that access to the font card 11 2 is only temporary 
and can be revoked as part of the security algorithm in 
security module 100. ^ 

Another security aspect of font card 1 1 2 may be that 
the font card can in fact be placed on a physically re- 
movable card, such as a PCMCIA card, which can be 
selectably inserted and removed from the security mod- 
ule 100 to further prevent unauthorized access to the 
font. In order to access the font card, a particular user 
• may have to physically obtain the card 112 from an au- 
thorized person. Further, there may be provided on the 
security module 100 a key mechanism such as shown 
as 1 1 4, which may operate to selectably shut any open- 
ing in which the font card 112 is to be inserted. The font 
card 112 may include, in addition to the MICR character 
font bitmaps, other security-sensitive bitmaps, such as 
a corporate logo. 

Another feature of practical importance to security 
module 100 is the availability of a memory for keeping 
records of all MICR documents made by the printer 14. 
Such an "audit trail" memory is Illustrated in Figure 2 by 
non-volatile memory (NVM) 130. Such a "memory" 
could include, for example, an instantaneous hardcopy 
printing of a record of prints made, Under this system, 
when a MICR document invoking the security algorithm 
is printed, certain character strings, such as would be 
found in a cheque, are simultaneously copied into the 
non-volitile memory 1 30. Such character strings may in- 
clude the payee, and the amount. Also, there may be 
' included either at the security module 1 00 or at the audit . 
trail memory 1 30, other provisbns which are tied to the 
particular image data, such as the time of printing, and 
the identity of the last person to invoke the. security al- 
gorithm. This copying of relevant character strings may 
be carried out by the same "logic unit," such as a micro- 
processor, which outputs altered status and command 
' signals in reponse to a security algorithm. 

As shown in Figure 2, security module 100 is oper- 
atively disposed along the command signal line 32 and 
the status signal line 36, but does not necessarily inter- 
act with video line 30, by which the ESS 16 directly 
sends digital image data to the imager 20 in lOT 1 8. This 
is the preferred embodiment of the present invention, 
although an architecture in which the video line 30 is 
also subject to the security algorithm within security, 
module 100 is possible. However, it has been found that 
merely controlling the command and status lines be- 
tween the ESS 1 6 and lOT 1 8 is satisfactory for perform- 
ing any common security procedure. One possible se- 
curity feature which directly involves the digital signals 
• along line 30 would be a possible design in which, 
should the MICR font bit maps in font card 11 2 be una- 
vailable, the security module 100 loads into ESS 16, 
through bus 102. certain default characters instead of 
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the desired MICR characters. These default characters; 
which may be simple Roman characters or special blank 
or other characters, would manifest themselves on the 
digital data on video line 30. 

The physicar presence of security module 100 
along a command line 32 and a status line 36 may be 
relatively simply made, because in many common 'de- 
signs of printers, as mentioried above, these lines are 
part of a wire harness having plugs and sockets be- 
tween ESS 16 and lOT 18. A hardware device which 
could re-route lines such as 36 and 32 as shown in Fig- 
ure 2 could simply be provided by a plug and socket 
corhbination adapted to be interposed between a plug 
and a socket between an ESS 16 and lOT 18 of a pre- 
existing printirig apparatus: Therefore, a printing module 
such as 100 is relatively easily "retrofitted" in existing 
designs of printers, or even in printers which have al- 
ready been installed. 

It is significant that the security module 100 of the 
present invention carries out its security function within 
the printer 14, and particularly along the software/hard- 
ware interface within the printer 14 itself. This configu- 
ration represents a significant improvement over a sys- 
tem such as in US-A-5,075,875, which carries out se- 
curity and audit trail procedures at a microprocessor 
which is operatively disposed between the host and the 
printer. Because the security module of the present in- 
vention operates between the control software and the 
hardware within the printer itself, its function will be less 
intrusive to individual users at various hosts, particularly 
when there are a multiplicity of possible hosts distributed 
among a network. Further, because the security module 
100 of the present invention directly receives status in- 
formation at the hardware level from status line 36 {such 
as to individual paper feed and position detectors with 
an lOT 18), specific physical conditions within the print- 
er, which may have security considerations, can be 
readily identified, and only those conditions which have 
security considerations would be allowed to halt the 
process. A system which resides between the host and 
the printer as a whole is less likely to be able to react 
properly to hardware faults within 'the printer. Because • 
the security module of the present invention exists at a 
software/hardware interface, the security module may 
. be relatively difficult to circumvent by a hacker who may 
conceivably be able to get around a security system* 
which is external to the printer and therefore, may be 
considered to be as much "on the network" as any other 
host computer. 

Figures 3A and 3B are simplified perspective views 
showing possible physical configurations of a security 
module 100 in , combination with a pre-existing printing 
apparatus, each type shown as 14 respectively in the 
Figures. In Figure 3A, the security module 100 is placed 
in a box which is intended to rest on or next to the printer 
itself, and in the Figure 38 embodiment, the security 
module 100 is configured to be placed under a desk-top 
printer. In both cases, the important user-accessible 
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portions of the module are a card .sia 111. which will 
accept a magnetically-encoded card, a font card slot 
113, which will accept a font card such as a PCMCIA 
card, and a physical key lock 1 1 4. Once again, the phys- 
ical key lock 114 could be used either to enable the en- 
tire security, module and thereby the entire printer, or 
conceivably could be used to restrict access to the font 
card slot 113 into which a font card can be inserted. 



Claims 



'aW^nc 



10 , 



1/ A printing apparatus comprising : 

an image output terminal (18) for rendering an 
. image on a surface according to imagewise dig- 
ital data, including at least one command re- 
ceiving (element for operating a mechanical el- 
ement of the image output terminal in response 
to a command signal, arid a status element for 
producing a status signal In resporise to a con- 
dition within the marking engine; 
an electronic subsystem (16), adapted to out- 
put imagewise digital data and a command sig- 
nal to the image output terminal, and to receive 
a status signal from the status element; 
a connection (32,36) between the Image output 
temninal and the' electronic subsystem, the con- 
■ nection acting as a medium for passage of com- 
mand signals (32) and status signals (36) there- 
through; and 

a security module (100), having a security al- 
gorithrn associated therewith, operatively inter- 
posed along the connection (32,36) between . 
the image output termirial and the electronic 
subsystem (16), the security module being 
adapted to receive a command signal, process 
the command signal according to the security, 
algorithm, and selectably output an altered 
command signal to the image output terminal. 
"f . \ ' 

2. The apparatus of claim t, the security module (100) 
being adapted to receive a status signal (36), proc- 
ess the status signal according to the security algo- 
rithm, and selectably output an altered status signal 
to the electronic subsystem (1 6). 

3. The apparatus of claim 1 , the Image output terminal, 
comprising a user Interface (1 20). 

4. The apparatus of claim 1 , the electronic subsystem 
(16) Including a font generator for outputting char- ' 

' acter bitmaps in the digital data, the character bit- 
maps being derived from a character set, and the 
security module (100) including 

a secure character set (11^) resident therein, 
the secure character set. being transferable to 



the font generaT^^nd 

means for transferring the secure character set 
to the font generator in response to a security 
procedure. 

5. The apparatus of claim 1 , the security algorithm in 
the security module (100) Including means requir- 
ing a security procedure for causing the security 
module Jlo output commands to the image output 
terminal (:t 8) to render an Image on a surface. 

6. The apparatus of claim 1 , the image output terminal 
(18) including means for rendering MICR charac- 
ters on a surface, and 



IS 



the security algorithm in the security module 
(100) including means requiring a security pro- 
cedure for causing the security module to out- 
. put commands to the Image output terminal to 
20 render MICR characters on a surface. 

7. The apparatus of claim 1 . the security module (1 00) 
Including 

25 means for receiving image information from a 

. host computer, 
means (102) fortransferringthe Image Infornria- 
tion to the electronic subsystem, 
ah audit memory (130), and 

30 V means for copying a portion of the image infor- 
mation to the audit memory. 

8. A security module for a printing apparatus, compris- 
. ing: 

a logic unit (100), adapted to apply a security 
algorithm to a command signal (32) from an 
' electronic subsystem (16), the electronic. sub- 
system being adapted to output imagewise dig- 
ital data and a command signal to an image out- 
put terminal (18) for causing the imagiB. output 
terminal to render a desired image on a surface 
according to the digital data; and 
the logic unit being adapted to output an altered 
45 command signal to the image output terminal 

in response to the security algorithm. 

9. The module of claim 8, the logic unit being adapted 
to apply a security algorithm to a status signal (36) 
from a status element within an apparatus for pro- 
ducing an image on a sheet in response to image- 
wise digital data from the electronic subsystem (16),. 
the status element being adapted to produce a sta- 
tus signial in response to a physical condition within 
the apparatus, and 

the logic unit being adapted to process the sta- 
tus signal according to the security algorithm, 
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and selectably output an altered status signal 
to the electronic subsystem. . - 

10. The module of claim 8, comprising 

5 

a secure character set (112) resident therein, 
the secure character set being transferable to 
a font generator in the electronic subsystem 
(16) for outputting character bitmaps in the dig- 
ital data, and 

the logic unit being adapted to transfer the se- 
cure character set to the font generator in re- 
sponse to a security procedure associated with 
the security algorithm. 
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